How to sign data within policy logic

The 'Generate Security Hash' tactical assertion is an APIM Gateway extension available from CA Support. It allows arbitrary data to be signed, which makes it possible to build security tokens that the out-of-the-box assertions do not support. This document gives a simple example of signing data in policy and then validating the signature outside the gateway.

Environment:

The policy was tested on an 8.3 APIM Gateway.

Instructions:

The following steps illustrate a simple policy that uses 'Generate Security Hash' and how its output can be verified with openssl.

1) Create a private key on the gateway (via Policy Manager), export the key (test.p12) and the certificate (test.public.pem), and copy both files to a Linux shell.

2) Then use the following command to convert the private key:-

openssl pkcs12 -in test.p12 -nodes -out test.key

3) Create a test file to sign; the -n option makes sure a line feed is not added to the end of the file:-

echo -n "The quick brown fox jumps over the lazy dog" > data.unsigned

4) We can then use the converted key to sign the data (data.unsigned) and place the signature in data.sha256. The text in data.unsigned is "The quick brown fox jumps over the lazy dog".

openssl dgst -sha256 -sign test.key -out data.sha256 data.unsigned
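Steps 2 to 4 collected into one runnable script and carried through to verification with the public key taken from the certificate, as an added example that is not part of the original article. It assumes openssl is on the PATH and stands in for the gateway export of step 1 by generating a throwaway RSA key and self-signed certificate and bundling them into test.p12 with an assumed password (changeit). The function names, the tampered second file and the base64 step are this example's own additions.

```shell
#!/bin/sh
# Added example, not the original article's commands. The gateway key export is
# replaced by a locally generated throwaway RSA key and self-signed certificate,
# bundled into a PKCS#12 file so the same conversion step (openssl pkcs12) applies.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

P12_PASS="changeit"   # assumed export password for the stand-in test.p12

# Stand-in for step 1: produce test.p12 and test.public.pem without a gateway.
make_stand_in_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout orig.key -out test.public.pem \
    -days 1 -subj "/CN=signing-test" >/dev/null 2>&1
  openssl pkcs12 -export -inkey orig.key -in test.public.pem -out test.p12 \
    -passout "pass:$P12_PASS"
}

# Step 2: convert the PKCS#12 bundle to an unencrypted PEM private key.
convert_private_key() {
  openssl pkcs12 -in test.p12 -nodes -out test.key -passin "pass:$P12_PASS"
}

# Step 3: write the payload with no trailing newline. printf '%s' is the portable
# equivalent of echo -n; a stray line feed changes the digest and breaks verification.
write_payload() {
  printf '%s' "$2" > "$1"
}

# Step 4: SHA-256 signature with the private key; data.sha256 holds raw signature bytes.
sign_payload() {
  openssl dgst -sha256 -sign test.key -out data.sha256 "$1"
}

# Verification side: extract the public key from the exported certificate, then check
# the signature. verify_payload prints openssl's verdict and returns its exit status,
# which is 0 only when the signature matches the exact bytes of the file.
extract_public_key() {
  openssl x509 -in test.public.pem -pubkey -noout > test.pubkey.pem
}

verify_payload() {
  openssl dgst -sha256 -verify test.pubkey.pem -signature data.sha256 "$1"
}

# Base64 form of the signature, the shape it would normally take inside a token or header.
signature_base64() {
  openssl base64 -A -in data.sha256
}

make_stand_in_keypair
convert_private_key
write_payload data.unsigned "The quick brown fox jumps over the lazy dog"
sign_payload data.unsigned
extract_public_key

# A second file differing by one word must fail verification; this shows the signature
# binds the exact bytes that were signed rather than "roughly the same text".
write_payload data.tampered "The quick brown fox jumps over the lazy cat"

echo "signature (base64): $(signature_base64)"
echo "genuine:  $(verify_payload data.unsigned)"
echo "tampered: $(verify_payload data.tampered || true)"
```

Anything that consumes these signatures should rely on the exit status of the verify command, not on parsing the printed text, and the bytes presented for verification must be exactly the bytes the gateway signed, which is why the payload is written without a trailing newline on both sides.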

5) Next we verify the signature. First we obtain the public key from the certificate we exported from the gateway:-